Shibboleth Developers

["Howard Gilbert" <>]

> Can't we just do some JNDI magic to allow the session data to span
> these contexts without re-directs?

We already have magic to allow the Session object (managed by the
/shibboleth context), to be available upon request to the Resource Managers.
The purpose of the cookie is not to carry the Session data, but only to
identify the session. Only the Browser can carry a token that identifies an
HTTP request with some existing server-side state. So again it becomes a
problem for cookies and their scope.

The purpose of the redirects is not to move the session data around. It is
to redirect the Browser from a URL scope where no cookie has been assigned
to a trusted, authoritative URL within the scope of a preexisting cookie.
There the cookie can be read, the identity of the Browser can be
established, and then the old Session ID can be extended to the new context
where a new cookie can be issued for it.